CVE-2026-28810 — Generation of Predictable Numbers or Identifiers in OTP
Severity: 6.3 MEDIUM (NVD)
EPSS: 0.1% (top 79.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 7
Latest update: Apr 13
Description
Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning.
The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendatio…
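As an added example (not part of the advisory or of Erlang/OTP), the check below looks for the two weaknesses the description names, sequential transaction IDs and a fixed UDP source port, in query metadata captured from a host under audit. The sample data, the function name `audit_queries` and the 0.8 threshold are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data (not from the advisory): one (udp_source_port,
# dns_transaction_id) pair per outbound query, as extracted from a capture.
PREDICTABLE = [(53124, (65533 + i) % 65536) for i in range(8)]  # wraps past 0xFFFF
RANDOMIZED = [(40211, 0x9C41), (51877, 0x03E7), (33902, 0xE510),
              (60418, 0x4A0C), (45763, 0xB7F2), (38120, 0x11D9)]


def audit_queries(queries, min_share=0.8):
    """Flag sequential transaction IDs and a fixed source port in captured queries."""
    if len(queries) < 4:
        raise ValueError("need at least 4 queries to judge predictability")
    ports = [port for port, _ in queries]
    txids = [txid for _, txid in queries]

    # Differences between consecutive IDs, modulo 2**16 so a counter that
    # wraps from 0xFFFF to 0 still counts as a step of 1.
    steps = Counter((b - a) % 65536 for a, b in zip(txids, txids[1:]))
    step, hits = steps.most_common(1)[0]
    sequential = step == 1 and hits / (len(txids) - 1) >= min_share

    fixed_port = len(set(ports)) == 1

    # Upper bound on the per-response unpredictability left once one query
    # has been seen: 16 bits for a random ID, at most 16 for a random port.
    bits = (0 if sequential else 16) + (0 if fixed_port else 16)
    return {"sequential_ids": sequential,
            "fixed_source_port": fixed_port,
            "max_unpredictable_bits": bits}


if __name__ == "__main__":
    for name, sample in (("predictable", PREDICTABLE), ("randomized", RANDOMIZED)):
        print(name, audit_queries(sample))
```

A result with `sequential_ids` and `fixed_source_port` both true matches the behaviour described for the affected resolver and indicates the host should be moved to a fixed release or a resolver that randomizes both values.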
CVSS vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Packages: 1 package
Vulnerability Details (3)
VulDB: Erlang OTP up to 28.4.2 inet_res/inet_db generation of predictable numbers or identifiers (Nessus ID 305613 / WID-SEC-2026-0998), 2026-04-13
OSV: CVE-2026-28810: Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning, 2026-04-07
Vendor Advisories (2)
Threat Intelligence (1)
Community (3)
Bugzilla: CVE-2026-28810 erlang: Erlang/OTP kernel: DNS cache poisoning via predictable DNS transaction IDs [fedora-all], 2026-04-07
Bugzilla: CVE-2026-28810 erlang/otp: Erlang/OTP kernel: DNS cache poisoning via predictable DNS transaction IDs, 2026-04-07
Bugzilla: CVE-2026-28810 erlang: Erlang/OTP kernel: DNS cache poisoning via predictable DNS transaction IDs [epel-all], 2026-04-07